Strong CAPTCHA Guidelines
Jonathan Wilkins
iSEC Partners, Inc., 444 Spear Street, Suite 105, San Francisco, CA 94105
December 12, 2009
An introduction to developing secure CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) systems. In addition to describing common weaknesses in CAPTCHA puzzles, focus is placed on the system as a whole, including replay detection and attack detection.
When abuse is detected on a site, CAPTCHA seems to be the knee-jerk response to limiting it. Developers have seen the typical warped-character type of challenge currently in common usage and jump to implement one of their own quickly. Here's a sample used by a WiFi hotspot. Simply running it through ocropus (see a description in appendix A) yields the correct text:

    jwilkins@silence:~$ hocr=0 ocrocmd hotspot captcha.jpg
    2di34m

These easily OCR'ed puzzles usually work for a period of time, depending on what asset is being protected. Most small sites using a commonly attacked message board software could effectively protect themselves with a single hard-coded question like 'What color is an orange?' (though this wouldn't properly be called a CAPTCHA). As long as attackers have no real cause to examine that particular site, the scripts they use to post spam in comments will break and the forum will remain spam free.